search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
gssapi: check for gss_acquire_cred_from
[Samba.git] / source3 / lib / smbrun.c
blob3b7ed542ab2bca19f6318861b07e6dac78e96b99
1 /*
2 Unix SMB/CIFS implementation.
3 run a command as a specified user
4 Copyright (C) Andrew Tridgell 1992-1998
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "system/filesys.h"
22
23 /* need to move this from here!! need some sleep ... */
24 struct current_user current_user;
25
26 /****************************************************************************
27 This is a utility function of smbrun().
28 ****************************************************************************/
29
30 static int setup_out_fd(void)
31 {
32 int fd;
33 TALLOC_CTX *ctx = talloc_stackframe();
34 char *path = NULL;
35 mode_t mask;
36
37 path = talloc_asprintf(ctx,
38 "%s/smb.XXXXXX",
39 tmpdir());
40 if (!path) {
41 TALLOC_FREE(ctx);
42 errno = ENOMEM;
43 return -1;
44 }
45
46 /* now create the file */
47 mask = umask(S_IRWXO | S_IRWXG);
48 fd = mkstemp(path);
49 umask(mask);
50
51 if (fd == -1) {
52 DEBUG(0,("setup_out_fd: Failed to create file %s. (%s)\n",
53 path, strerror(errno) ));
54 TALLOC_FREE(ctx);
55 return -1;
56 }
57
58 DEBUG(10,("setup_out_fd: Created tmp file %s\n", path ));
59
60 /* Ensure file only kept around by open fd. */
61 unlink(path);
62 TALLOC_FREE(ctx);
63 return fd;
64 }
65
66 /****************************************************************************
67 run a command being careful about uid/gid handling and putting the output in
68 outfd (or discard it if outfd is NULL).
69 ****************************************************************************/
70
71 static int smbrun_internal(const char *cmd, int *outfd, bool sanitize,
72 char * const *env)
73 {
74 pid_t pid;
75 uid_t uid = current_user.ut.uid;
76 gid_t gid = current_user.ut.gid;
77 void (*saved_handler)(int);
78
79 /*
80 * Lose any elevated privileges.
81 */
82 drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
83 drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
84
85 /* point our stdout at the file we want output to go into */
86
87 if (outfd && ((*outfd = setup_out_fd()) == -1)) {
88 return -1;
89 }
90
91 /* in this method we will exec /bin/sh with the correct
92 arguments, after first setting stdout to point at the file */
93
94 /*
95 * We need to temporarily stop CatchChild from eating
96 * SIGCLD signals as it also eats the exit status code. JRA.
97 */
98
99 saved_handler = CatchChildLeaveStatus();
100
101 if ((pid=fork()) < 0) {
102 DEBUG(0,("smbrun: fork failed with error %s\n", strerror(errno) ));
103 (void)CatchSignal(SIGCLD, saved_handler);
104 if (outfd) {
105 close(*outfd);
106 *outfd = -1;
107 }
108 return errno;
109 }
110
111 if (pid) {
112 /*
113 * Parent.
114 */
115 int status=0;
116 pid_t wpid;
117
118
119 /* the parent just waits for the child to exit */
120 while((wpid = waitpid(pid,&status,0)) < 0) {
121 if(errno == EINTR) {
122 errno = 0;
123 continue;
124 }
125 break;
126 }
127
128 (void)CatchSignal(SIGCLD, saved_handler);
129
130 if (wpid != pid) {
131 DEBUG(2,("waitpid(%d) : %s\n",(int)pid,strerror(errno)));
132 if (outfd) {
133 close(*outfd);
134 *outfd = -1;
135 }
136 return -1;
137 }
138
139 /* Reset the seek pointer. */
140 if (outfd) {
141 lseek(*outfd, 0, SEEK_SET);
142 }
143
144 #if defined(WIFEXITED) && defined(WEXITSTATUS)
145 if (WIFEXITED(status)) {
146 return WEXITSTATUS(status);
147 }
148 #endif
149
150 return status;
151 }
152
153 (void)CatchChild();
154
155 /* we are in the child. we exec /bin/sh to do the work for us. we
156 don't directly exec the command we want because it may be a
157 pipeline or anything else the config file specifies */
158
159 /* point our stdout at the file we want output to go into */
160 if (outfd) {
161 close(1);
162 if (dup2(*outfd,1) != 1) {
163 DEBUG(2,("Failed to create stdout file descriptor\n"));
164 close(*outfd);
165 exit(80);
166 }
167 }
168
169 /* now completely lose our privileges. This is a fairly paranoid
170 way of doing it, but it does work on all systems that I know of */
171
172 become_user_permanently(uid, gid);
173
174 if (!non_root_mode()) {
175 if (getuid() != uid || geteuid() != uid ||
176 getgid() != gid || getegid() != gid) {
177 /* we failed to lose our privileges - do not execute
178 the command */
179 exit(81); /* we can't print stuff at this stage,
180 instead use exit codes for debugging */
181 }
182 }
183
184 #ifndef __INSURE__
185 /* close all other file descriptors, leaving only 0, 1 and 2. 0 and
186 2 point to /dev/null from the startup code */
187 {
188 int fd;
189 for (fd=3;fd<256;fd++) close(fd);
190 }
191 #endif
192
193 {
194 char *newcmd = NULL;
195 if (sanitize) {
196 newcmd = escape_shell_string(cmd);
197 if (!newcmd)
198 exit(82);
199 }
200
201 if (env != NULL) {
202 execle("/bin/sh","sh","-c",
203 newcmd ? (const char *)newcmd : cmd, NULL,
204 env);
205 } else {
206 execl("/bin/sh","sh","-c",
207 newcmd ? (const char *)newcmd : cmd, NULL);
208 }
209
210 SAFE_FREE(newcmd);
211 }
212
213 /* not reached */
214 exit(83);
215 return 1;
216 }
217
218 /****************************************************************************
219 Use only in known safe shell calls (printing).
220 ****************************************************************************/
221
222 int smbrun_no_sanitize(const char *cmd, int *outfd, char * const *env)
223 {
224 return smbrun_internal(cmd, outfd, false, env);
225 }
226
227 /****************************************************************************
228 By default this now sanitizes shell expansion.
229 ****************************************************************************/
230
231 int smbrun(const char *cmd, int *outfd, char * const *env)
232 {
233 return smbrun_internal(cmd, outfd, true, env);
234 }
235
236 /****************************************************************************
237 run a command being careful about uid/gid handling and putting the output in
238 outfd (or discard it if outfd is NULL).
239 sends the provided secret to the child stdin.
240 ****************************************************************************/
241
242 int smbrunsecret(const char *cmd, const char *secret)
243 {
244 pid_t pid;
245 uid_t uid = current_user.ut.uid;
246 gid_t gid = current_user.ut.gid;
247 int ifd[2];
248 void (*saved_handler)(int);
249
250 /*
251 * Lose any elevated privileges.
252 */
253 drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
254 drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
255
256 /* build up an input pipe */
257 if(pipe(ifd)) {
258 return -1;
259 }
260
261 /* in this method we will exec /bin/sh with the correct
262 arguments, after first setting stdout to point at the file */
263
264 /*
265 * We need to temporarily stop CatchChild from eating
266 * SIGCLD signals as it also eats the exit status code. JRA.
267 */
268
269 saved_handler = CatchChildLeaveStatus();
270
271 if ((pid=fork()) < 0) {
272 DEBUG(0, ("smbrunsecret: fork failed with error %s\n", strerror(errno)));
273 (void)CatchSignal(SIGCLD, saved_handler);
274 return errno;
275 }
276
277 if (pid) {
278 /*
279 * Parent.
280 */
281 int status = 0;
282 pid_t wpid;
283 size_t towrite;
284 ssize_t wrote;
285
286 close(ifd[0]);
287 /* send the secret */
288 towrite = strlen(secret);
289 wrote = write(ifd[1], secret, towrite);
290 if ( wrote != towrite ) {
291 DEBUG(0,("smbrunsecret: wrote %ld of %lu bytes\n",(long)wrote,(unsigned long)towrite));
292 }
293 fsync(ifd[1]);
294 close(ifd[1]);
295
296 /* the parent just waits for the child to exit */
297 while((wpid = waitpid(pid, &status, 0)) < 0) {
298 if(errno == EINTR) {
299 errno = 0;
300 continue;
301 }
302 break;
303 }
304
305 (void)CatchSignal(SIGCLD, saved_handler);
306
307 if (wpid != pid) {
308 DEBUG(2, ("waitpid(%d) : %s\n", (int)pid, strerror(errno)));
309 return -1;
310 }
311
312 #if defined(WIFEXITED) && defined(WEXITSTATUS)
313 if (WIFEXITED(status)) {
314 return WEXITSTATUS(status);
315 }
316 #endif
317
318 return status;
319 }
320
321 (void)CatchChild();
322
323 /* we are in the child. we exec /bin/sh to do the work for us. we
324 don't directly exec the command we want because it may be a
325 pipeline or anything else the config file specifies */
326
327 close(ifd[1]);
328 close(0);
329 if (dup2(ifd[0], 0) != 0) {
330 DEBUG(2,("Failed to create stdin file descriptor\n"));
331 close(ifd[0]);
332 exit(80);
333 }
334
335 /* now completely lose our privileges. This is a fairly paranoid
336 way of doing it, but it does work on all systems that I know of */
337
338 become_user_permanently(uid, gid);
339
340 if (!non_root_mode()) {
341 if (getuid() != uid || geteuid() != uid ||
342 getgid() != gid || getegid() != gid) {
343 /* we failed to lose our privileges - do not execute
344 the command */
345 exit(81); /* we can't print stuff at this stage,
346 instead use exit codes for debugging */
347 }
348 }
349
350 #ifndef __INSURE__
351 /* close all other file descriptors, leaving only 0, 1 and 2. 0 and
352 2 point to /dev/null from the startup code */
353 {
354 int fd;
355 for (fd = 3; fd < 256; fd++) close(fd);
356 }
357 #endif
358
359 execl("/bin/sh", "sh", "-c", cmd, NULL);
360
361 /* not reached */
362 exit(82);
363 return 1;
364 }
Samba GIT mirror